Malware targeting Android devices has long exploited the accessibility services API to silently harvest credentials and sensitive data — a problem well-documented across banking trojans and spyware campaigns. Google is now moving to close that avenue at the operating system level.
The change appears in Android 17 Beta 2 and applies specifically to users who enable Advanced Protection Mode (AAPM). According to the announcement, any app not formally classified as an accessibility tool will be blocked from using the accessibility services API when AAPM is active. Apps that already hold that permission will have it automatically revoked the moment the mode turns on. Users cannot manually override this — granting the permission back requires disabling AAPM entirely.
The classification boundary is deliberately narrow.
Google designates only four categories as legitimate accessibility tools: screen readers, switch-based input systems, voice-based input tools, and Braille-based access programs. These are identifiable by the isAccessibilityTool="true" flag in their configuration and remain fully exempt from the restriction. Antivirus software, automation tools, assistants, monitoring apps, cleaners, password managers, and launchers all fall outside this definition and will lose access under AAPM.
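For developers and app reviewers who want to know which side of that boundary an app falls on, the following is an added example (not code from Google or from the original report). It statically checks a decoded manifest and accessibility-service config for the flag; the package, service names and XML samples are constructed, and it assumes the APK has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

# Constructed sample: AndroidManifest.xml as decoded by a tool such as apktool.
MANIFEST = f"""<manifest {NS} package="com.example.demo"><application>
  <service android:name=".ReaderService" android:permission="{BIND}">
    <meta-data android:name="android.accessibilityservice"
               android:resource="@xml/reader_config"/>
  </service>
  <service android:name=".OverlayHelper" android:permission="{BIND}">
    <meta-data android:name="android.accessibilityservice"
               android:resource="@xml/helper_config"/>
  </service>
  <service android:name=".SyncService"/>
</application></manifest>"""

# Constructed sample: decoded res/xml/<name>.xml files, keyed by resource name.
CONFIGS = {
    "reader_config": f'<accessibility-service {NS} android:isAccessibilityTool="true"/>',
    "helper_config": f'<accessibility-service {NS} android:canRetrieveWindowContent="true"/>',
}

def audit(manifest_xml, configs):
    """Map each accessibility service to True if its config declares the tool flag."""
    report = {}
    for svc in ET.fromstring(manifest_xml).iter("service"):
        if svc.get(A + "permission") != BIND:
            continue  # not an accessibility service
        declared = False  # the flag defaults to false when absent
        for meta in svc.iter("meta-data"):
            if meta.get(A + "name") != "android.accessibilityservice":
                continue
            res = meta.get(A + "resource", "").rpartition("/")[2]
            cfg = configs.get(res)
            if cfg is not None:
                # A value given as a resource reference (e.g. @bool/...) is not
                # resolved here and is reported as not declared.
                flag = ET.fromstring(cfg).get(A + "isAccessibilityTool", "false")
                declared = flag.strip().lower() == "true"
        report[svc.get(A + "name")] = declared
    return report

if __name__ == "__main__":
    for name, is_tool in audit(MANIFEST, CONFIGS).items():
        print(name, "exempt under AAPM" if is_tool else "access revoked under AAPM")
```

A service reported as `False` is one that, per the behaviour described above, would lose accessibility API access while AAPM is on, so the app needs a working fallback path for those users.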
AAPM itself was introduced with Android 16, framed as an opt-in high-security mode comparable to Apple's Lockdown Mode — one that accepts reduced functionality in exchange for a smaller attack surface. Its existing protections include blocking app installation from unknown sources, restricting USB data signaling, and requiring Google Play Protect scanning. Developers can detect whether a user has enabled the mode via the AdvancedProtectionManager API, which allows applications to automatically adopt stricter internal settings in response. “Developers can integrate with this feature using the AdvancedProtectionManager API to detect the mode’s status, enabling applications to automatically adopt a hardened security posture or restrict high-risk functionality when a user has opted in,” Google stated in its Android 17 feature documentation.
Separately, Android 17 introduces a revised contacts picker that gives developers more precise control over what contact data their apps can request. Rather than requesting broad access to a user’s full contact list, developers can now specify individual fields — phone numbers or email addresses, for example — or allow users to selectively share specific contacts with a third-party app. “This grants your app read access to only the selected data, ensuring granular control while providing a consistent user experience with built-in search, profile switching, and multi-selection capabilities without having to build or maintain the UI,” Google said.
The accessibility API restriction is currently part of Android 17 Beta 2, with the feature first reported by Android Authority ahead of Google's documentation going public.
This article is a curated summary based on third-party sources.